General Data Protection Regulation

In 2016, the European Union approved a new law on data protection and privacy, which will enter into force in May 2018. The full title of the new law is Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – in short, General Data Protection Regulation or GDPR.

The GDPR updates the whole set of EU rules regarding data protection, and harmonises the procedures for protecting the privacy rights of individuals. Because the GDPR is a Regulation, the EU has ensured that this topic is now more harmonised and citizens will have more legal certainty.

Before the GDPR, this topic was only regulated at EU level by a Directive. A Directive is a piece of EU legislation that only establishes common goals or objectives for the laws of every EU country to follow. Therefore, EU countries must adapt their laws to the common rules set by the Directive, using national laws. This means that there might be differences in the way each country adapts its own laws to the Directive.

A Regulation is an EU law that is directly applicable and enforceable throughout the EU. It needs no adaptation at the national level. This ensures that the law applicable in all EU countries is the same.

Why GDPR matters for cancer patients

European cancer patients' data play a critical role in the development of scientific research, mainly through clinical trials. Without patients' data, cancer research would not be possible, and therefore patients would not have access to new treatments, or better policy solutions to control cancer.

The collection, sharing and use of patients' data is regulated by the GDPR. Since the GDPR affects data collected for scientific research activities, it has a direct impact on the future of the battle against cancer.

ECPC position

As patients, we acknowledge our role as partners in scientific research. Our data can be useful to enhance innovation, look for cures and advance oncology. At the same time, the protection of our privacy is a priority.

Therefore, we requested that every safeguard should be put in place to minimise the risk of breaches in confidentiality, but we demanded at the same time that the Regulation would not lead to compromises in data quality.

The draft version of the GDPR as amended by the European Parliament in 2014 had unintended consequences which could put at stake the viability of scientific research. In short, that draft put in place very strict rules that would hamper it. On the one hand, it introduced new rules on consent that would have required researchers to ask for a patient's specific consent to use anonymised data every single time new research is carried out on that dataset, hindering continuous research at every single use of the data. On the other hand, the draft version might also have hampered the collection of data by population-based cancer registries, which are our most important source of epidemiologic data.

Therefore, the survival of retrospective clinical research, biobanking, and population-based cancer registries in the EU was at stake. While transparency had to be ensured, processes for broader consent had to be put in place, to allow patients to legally authorise this very useful research.

ECPC joined ESMO and 8 other organisations representing the European cancer community to express its deep concern, publishing a Position Paper that helped lawmakers to acknowledge the patients' voice.

What's next? Implementation

The final version of the Regulation was overall satisfactory. After some modifications made thanks to the efforts of the scientific and patient communities, the final GDPR took into account some of the concerns expressed before.

The GDPR includes an article (89) that enables specific provisions for data collection in scientific research. Of course, data collected for scientific research still has to be subject to appropriate safeguards, in particular minimising the risk of breaches in confidentiality, but the article recognises that the tight consent procedures of the Regulation might hamper scientific research in some cases.

The new article 89 allows EU countries to adapt their own data protection laws to permit exemptions in scientific research.

Unfortunately, the GDPR leaves some room for interpretation to EU countries. The EU countries can individually set out the rules on a few key aspects of the GDPR, including those on exemptions in scientific research.

As a consequence, there is the danger that data protection rules might not be the same across all EU countries. This can be very dangerous to the sharing of precious data, and therefore slow down both research and innovation useful to patients.

Thus, ECPC will now focus on the implementation of the GDPR, to make sure that the demands we expressed back in the drafting of the Regulation are still in place by the time it enters into force. However, most of the work remains at national level, in each EU country. Therefore, we urge our local and national members to step up their efforts in making their voice heard by lawmakers in their country, to make sure that the adaptations of data protection laws implement these derogations in a way that respects both patients' rights and the viability of further research.

If you need more information on the implications of the GDPR for cancer patients or have any other inquiry, please do not hesitate to contact us. If you want to join the efforts on this file to make sure that the implementation of the new data protection rules respects the patients' needs, we can provide you with more help, including assistance from ECPC's Legal Network.

You can directly contact Dan Cimpoeru, ECPC Board Member and initiator of the ECPC Legal Network for Cancer Patients, through this e-mail: dan.cimpoeru@ecpc.org